Warning: Undefined variable $html in /usr/share/nginx/html/lib/plugins/tabinclude/helper.php on line 240

Wordpress

Common Wordpress Issues
global/restrictions.conf
Permalinks/Rewrites
XMLRCP.php
Add Admin User Manually

Quick Wordpress Files Download

Change /var/www/html to the directory you wish to download the latest wordpress files and the following command will download the files

        
              wget -O - https://wordpress.org/latest.tar.gz | tar -xzf - -C /var/www/html --strip-components=1

Wordpress Permissions

Replace ${WP_ROOT} with the directory location of wordpress. If you are already in the wp document root, replace with a dot .

        
              find ${WP_ROOT} -exec chown :apache {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;

Auto Install Plugins (without FTP/FTPs details)

vim /var/www/vhost/website/wp-config.php

        
              define('FS_METHOD', 'direct');

Install Plugins with FTP (auto)

        
              define('FTP_BASE', '/var/www/vhosts/example.com/httpdocs/');
define('FTP_CONTENT_DIR', '/var/www/vhosts/example.com/httpdocs/wp-content/');
define('FTP_PLUGIN_DIR ', '/var/www/vhosts/example.com/httpdocs/plugins/');
#define('FTP_PUBKEY', '/var/www/vhosts/example.com/httpdocs/.ssh/id_rsa.pub');
#define('FTP_PRIKEY', '/var/www/vhosts/example.com/httpdocs/.ssh/id_rsa');
define('FTP_USER', 'FTPusername');
define('FTP_PASS', 'FTPpassword');
define('FTP_HOST', 'localhost');
define('FTP_SSL', false);

WP Memory Limit

To increase the memory limit for wordpress you should first change the php.ini file.

If that does not work you should add the following to your wp-config.php file

        
              define( 'WP_MEMORY_LIMIT', '96M' );

Change the memory limit value as required

Changing Site URL

Check the current URL, first select the database with the 'use' command (eg. use live_database;):

        
              SELECT * FROM wp_options WHERE option_name = 'siteurl' OR option_name = 'home' ;

Now we can update the URL:

1	`UPDATE wp_options SET option_value =` `'http://lukeslinux.co.uk'` `WHERE option_name =` `'siteurl'` `OR option_name =` `'home';`

Deterring wp-login attacks

Add the following to your htaccess.
The following code stops any ip address posting to your wp-admin page that does not have a referrer or user-agent set.
An example log entry is:

        
              x.x.x.x - - [23/Aug/2016:17:25:40 +1000] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"

Code:

        
              <IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?reaa\.com\.au [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

>> Go to this page.

https://codex.wordpress.org/Nginx

	include global/restrictions.conf;
	include global/wordpress.conf;

global/restrictions.conf

# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
	log_not_found off;
	access_log off;
}

location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
	deny all;
}

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
	deny all;
}

global/wordpress.conf

# WordPress single site rules.
# Designed to be included in any server {} block.
# Upstream to abstract backend connection(s) for php
upstream php {
        server unix:/tmp/php-cgi.socket;
        server 127.0.0.1:9000;
}

server {
        ## Your website name goes here.
        server_name domain.tld;
        ## Your only path reference.
        root /var/www/wordpress;
        ## This should be in your http block and if it is, it's not needed here.
        index index.php;

        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

        location / {
                # This is cool because no php is touched for static content.
                # include the "?$args" part so non-default permalinks doesn't break when using query string
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                include fastcgi.conf;
                fastcgi_intercept_errors on;
                fastcgi_pass php;
                fastcgi_buffers 16 16k;
                fastcgi_buffer_size 32k;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
                expires max;
                log_not_found off;
        }
}

>> Go to this page.

XMLRPC

XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism and its functionality is turned on by default since WordPress 3.5.
XML-RPC is an API - this API gives developers and services the ability to talk to a wordpress site

Examples where XML-RPC functionality is needed:
XML-RPC functionality is primarily used for three common reasons:

Pingbacks/trackbacks (great for Viagra spam, DDoS attacks, and not much else)
Jetpack (an all-in-one solution to slowing down and/or bloating your WordPress site with third-party scripts)
WP mobile apps

More information on XML-RPC API for wordpress can be found: https://codex.wordpress.org/XML-RPC_WordPress_API

What is an xmlrpc attack?

xml-rpc can use system.multicall - this can be used to execute multiple methods inside a single request. This allows applications to pass multiple commands with one http request.
This means that potential bots and hackers can use the system.multicall method to guess 100's or 1000's of passwords with a single http request
Hackers can attempt thousands of password attempts with just a 3-4 http request. These requests bypass security tools designed to block brute force attempts. These requests will have 1 entry per request in the log file.
NOTE: Your systems load average may increase significantly during one of these attacks. It may be a little hard to initially diagnose the issue as apache is NOT hitting max clients. Remember to investigate the access logs and see if there are lots of POST requests to XMLRPC.php!

—
NOTE: WordPress, Drupal and most content management systems support XML-RPC.
It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages.

Checking apache and nginx logs for xmlrpc

        
              awk '/xmlrpc.php/ {REQ[$1" "$6" "$7]++}END{for (i in REQ) print REQ[i],i}' /var/log/httpd/*access*log | sort -n | tail -25

Basic configuration:

        
              To prevent xmlrpc attacks add the following to a .htaccess
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>

If you have application or plugins or you are a hosting reseller then you will want to add something similar to the code below. This code allows the wordpress IP range (current IP range, this could change) and denies potential attacks:

Apache .htaccess:

        
              <Files "xmlrpc.php">
Order Deny,Allow
Deny from all
Allow from 192.0.64.0/18
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</files>

Nginx
Deny all through nginx

        
               location = /xmlrpc.php {
    deny all;
    access_log off; #to prevent from filling up the access log file
    error_log off; #to prevent from filling up the error log file
}

Allowing Wordpress IPs

        
               location = /xmlrpc.php {
    allow 192.0.64.0/18;
    deny all;
    access_log off; #to prevent from filling up the access log file
    error_log off; #to prevent from filling up the error log file
}

JetPack

This wordpress plugin does come with xmlrcp.php protection from brute force.
Note: This is SITE specific and will note cover system wide wordpress sites.
Jet pack: https://wordpress.org/plugins/jetpack/

Wordfence

##CURRENTLY INVESTIGATING ##
I believe it costs around $5 a month
This can also be used to block an attempted attack on XMLRPC

References:
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/
http://wptavern.com/its-time-for-xml-rpc-in-wordpress-to-hit-the-road
https://www.saotn.org/huge-increase-wordpress-xmlrpc-php-post-requests/ - READ